Posted Jan 10, 2005 17:02 UTC (Mon) by pjs
In reply to: RFPolicy
Parent article: grsecurity 2.1.0 and kernel vulnerabilities
Yes, but apparently best (or even remotely good) practices don't apply here.
You see, they couldn't contact vendor-sec because they don't trust vendor-sec anymore due to the recent botched handling of the uselib bug.
So they contacted Linus and Andrew directly. When emails went unanswered for 3 weeks, Linus and Andrew couldn't be trusted anymore either.
So, you can clearly see it follows from the above that the only practice left, having exhausted all the "best" ones, is to release details and exploit code for new and previously discovered bugs, with an angry rant. With such a zero-tolerance policy for mis-handling of bug reports, it's easy to quickly run out of options.